Date: 2025-10-30

APRA member Suzanne Smith has expressed the prudential regulator's concerns around entities relying on a concentrated set of technology providers.

Smith said dependency on the cloud and movement of workloads to the cloud environment has exponentially increased third-party and concentration risk, data security and privacy concerns.

"One concern APRA is paying close attention to is concentration risk. Across banking, insurance and superannuation, critical operation delivery often hinges on a concentrated set of technology vendors in areas such as the cloud, processors, network, software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). That means if one of these technology providers fails, even temporarily, they can potentially take down services at every company relying on their services," Smith said.

Smith said APRA requested regulated entities submit a list of their material service providers so it could assess the scale of the issue.

"We have now begun analysing the data to develop a financial system-wide view of entities' reliance on third party service providers and where particular concentration risks may lie," Smith said.

"As finance, telecommunications, emerging technologies, and platforms increasingly converge, APRA will continue to engage with government and regulatory peers as the Critical Infrastructure reforms evolve further.

"Our focus will remain on shaping sector-wide incident playbooks; improving information sharing; and participating in exercises that test industry coordination with government regulatory agencies including the Council of Financial Regulators."

This comes after Amazon Web Services (AWS) apologised this week for a massive global outage.

Many large financial institutions in Australia use AWS, including Macquarie Group, NAB and ANZ, as do millions of apps, websites and government systems across the globe.

Smith said entities should be undertaking their own work independently to address third-party and concentration risk.

"This includes undertaking service interdependency mapping and credible scenario testing involving both complete failures and 'degraded mode' operations. These need to be routine and broadly-visible - not 'once and done'," Smith said.

"Auditors should look for scenario design that includes multi-entity, multi-vendor failures, and for clear customer outcome metrics when operating in contingency modes.

"Your checks need to go beyond checking documents to properly validating whether tolerance levels, mapping, and testing, truly capture real points of failure across first, second, third, and further, parties."